Abstract

We show how to compress communication in distributed protocols in which parties do not 
have private inputs. More specifically, we present a generic method for converting any protocol 
in which parties do not have private inputs, into another protocol where each message is “short” 
while preserving the same number of rounds, the same communication pattern, the same output 
distribution, and the same resilience to error. Assuming that the output lies in some universe of 
size M, in our resulting protocol each message consists of only polylog(M, n, d) many bits, where 
n is the number of parties and d is the number of rounds. Our transformation works in the full 
information model, in the presence of either static or adaptive Byzantine faults. 

In particular, our result implies that for any such poly(n)-round distributed protocol which generates outputs in a universe of size poly(n), long messages are not needed, and messages of length polylog(n) suffice. In other words, in this regime, any distributed task that can be solved in the LOCAL model can also be solved in the CONGEST model with the same round complexity and security guarantees.

As a corollary, we conclude that for any poly(n)-round collective coin-flipping protocol, leader election protocol, or selection protocol, messages of length polylog(n) suffice (in the presence of either static or adaptive Byzantine faults).
1 Introduction


In classical algorithmic design the goal is to design efficient algorithms, where the common complexity measures are time and space. In distributed algorithms, where a set of parties tries to perform a predefined task, there are more parameters of interest, such as round complexity, message complexity, fault-tolerance, and more.

These measures have been studied in the literature under two main models: LOCAL and CONGEST [Pel00]. The LOCAL model is aimed at studying “localized” executions of distributed protocols, and thus messages of unlimited size are allowed. The CONGEST model is geared towards understanding the effect of congestion in the network, and thus only messages of poly-logarithmic size (in the number of parties) are allowed.

Most of the work in distributed computing assumes one of the models above and focuses on 
optimizing resources such as round complexity, message complexity and fault-tolerance. We initiate 
the study of the following question: 

Is there a generic way to transform protocols in the LOCAL model to protocols in the CONGEST model, without negatively affecting the round complexity, fault-tolerance and other resources?

We give a positive answer to this question for protocols in which parties do not have private inputs, 
without incurring any cost to the round complexity or the resilience to errors. More details follow. 

Our model. In this work, our focus is on the synchronous, full information model. Namely, we 
consider a distributed model in which n parties are trying to perform a predefined task. Each 
party is equipped with a source of private randomness and a unique ID. We assume the existence 
of a global counter which synchronizes parties in between rounds, but the parties are asynchronous 
within each round. The goal is to fulfill the task even in the presence of Byzantine faults. In the 
full information model no restrictions are made on the computational power of the faulty parties or 
the information available to them. Namely, the faulty parties may be infinitely powerful, and we do 
not assume the existence of private channels connecting pairs of honest parties. 

We model faulty parties by a computationally unbounded adversary who controls a subset of 
parties and whose aim is to bias the output of the protocol. We assume that the adversary has 
access to the entire transcript of the protocol, and once a party is corrupted, the adversary gains 
complete control over the party and can send any messages on its behalf, and the messages can 
depend on the entire transcript so far. In addition, we allow our adversary to be “rushing”, i.e., it 
can schedule the delivery of the messages within each round. We consider two classes of adversaries: 
static and adaptive. A static adversary is an adversary that chooses which parties to corrupt ahead 
of time, before the protocol begins. An adaptive adversary, on the other hand, is allowed to choose 
which parties to corrupt adaptively in the course of the protocol as a function of the messages seen 
so far. 

The focus of this work is on protocols in which parties do not have private inputs. Many classical distributed tasks fall in this category, including collective coin-flipping, leader election, selection, and more.

A concrete motivation: adaptively-secure coin-flipping. An important distributed task that 
was extensively studied in the full information model, is that of collective coin-flipping. In this 
problem, a set of n parties use private randomness and are required to generate a common random 
bit. The goal of the parties is to jointly output a somewhat uniform bit even in the case that some 

We note that often the term CONGEST is a short-hand for CONGEST(B), where B is a bandwidth constraint. In many cases, the convention is to set B to be bounded by O(log n), where n is the number of parties. Here, we take a more liberal interpretation, which allows for messages of size bounded by polylog(n) (see, e.g., [SMPU15]).
of the parties are faulty and controlled by a static (resp. adaptive) adversary whose goal is to bias
the output of the protocol in some direction. 

This problem was first formulated and studied by Ben-Or and Linial [BL85]. In the case of 
static adversaries, collective coin-flipping is well studied and almost matching upper and lower 
bounds are known [Fei99, RSZ02], whereas the case of adaptive adversaries has received much less 
attention. Ben-Or and Linial [BL85] showed that the majority protocol (in which each party sends a uniformly random bit and the output of the protocol is the majority of the bits sent) is resilient to Θ(√n) adaptive corruptions. Furthermore, they conjectured that this protocol is optimal, that is, they conjectured that any coin-flipping protocol is resilient to at most O(√n) adaptive corruptions. Shortly afterwards, Lichtenstein, Linial and Saks [LLS89] proved the conjecture for protocols in which each party is allowed to send only one bit. Very recently, Goldwasser, Kalai and Park [GKP15] proved a different special case of the aforementioned conjecture: any symmetric (many-bit) one-round collective coin-flipping protocol is resilient to at most O(√n) adaptive corruptions. Despite all this effort, proving a general lower bound, or constructing a collective coin-flipping protocol that is resilient to at least ω(√n) adaptive corruptions, remains an intriguing open problem.

The result of [LLS89] suggests that, when seeking a collective coin-flipping protocol that is resilient to at least ω(√n) adaptive corruptions, one should focus on protocols that consist of many communication rounds, or protocols in which parties send long messages. Our main result (Theorem 1.1) is that long messages are not needed in adaptively secure coin-flipping protocols with poly(n) rounds, and messages of length polylog(n) suffice. This is true more generally for leader election protocols, and for selection protocols where the output comes from a universe of size at most quasi-polynomial in n.


1.1 Our Results 

Our main result is that “long” messages are not needed for distributed tasks in which parties do not 
have private inputs. More specifically, we show how to convert any n-party d-round protocol, where 
parties do not have private inputs, and whose output comes from a universe of size M, into a d-round 
protocol, with the same communication pattern, the same output distribution, the same security 
guarantees, and where each message is of length polylog(M, n, d). Note that for many well studied 
distributed tasks, such as coin-flipping, leader election, and more, the output is from a universe of 
size at most poly(n), in which case our result says that if we consider poly(n)-round protocols, then
messages of length polylog(n) suffice. 

Our results in more detail. Formally, we say that a protocol Π, in which parties do not have private inputs, is (t, δ, s)-statically (resp., adaptively) secure if for any adversary A that statically (resp., adaptively) corrupts at most t = t(n) parties, and any subset S of the output universe such that |S| = s, it holds that

\[
\Bigl|\Pr[\text{Output of } \mathcal{A}(\Pi) \in S] - \Pr[\text{Output of } \Pi \in S]\Bigr| \le \delta ,
\]

where “Output of A(Π)” means the output of the protocol when executed in the presence of the adversary A, “Output of Π” means the output of the protocol when executed honestly, and the probabilities are taken over the internal randomness of the parties. In addition, we say that a protocol Π simulates a protocol Π' if the outcomes of the protocols are statistically close (when executed honestly) and their communication patterns are the same.

A symmetric protocol Π is one that is oblivious to the order of its inputs: namely, for any permutation π : [n] → [n] of the parties, it holds that Π(r_1, ..., r_n) = Π(r_{π(1)}, ..., r_{π(n)}).







Our main result is a generic communication compression theorem which, roughly speaking, states that (t, δ, s)-statically (resp., adaptively) secure protocols in the above model do not need “long” messages. Namely, we show that any secure protocol which sends arbitrarily long messages can be simulated by a protocol which is almost as secure and sends short messages.

Theorem 1.1 (Main theorem, informal). Any (t, δ, s)-statically (resp., adaptively) secure d-round protocol that outputs m bits (or more generally, has an output universe of size 2^m) can be simulated by a d-round (t, δ', s)-statically (resp., adaptively) secure protocol, where δ' = δ + negl(n), and in which parties send random messages of length at most m · polylog(n, d).

Our results can also be seen as a transformation of protocols (in which parties do not have private inputs) in the LOCAL model to protocols in the CONGEST model, as discussed above. Our main theorem (Theorem 1.1) implies that any task whose output consists of at most polylog(n) bits, and in which parties do not have private inputs, that can be solved in the LOCAL model with d ≤ poly(n) rounds, can also be solved in the CONGEST model with d rounds.

Corollary 1.2. Any n-party (t, δ, s)-statically (resp., adaptively) secure poly(n)-round protocol that outputs polylog(n) bits in the LOCAL model can be simulated by a (t, δ', s)-statically (resp., adaptively) secure protocol in the CONGEST model, where δ' = δ + negl(n).

We emphasize that our results hold for any underlying communication pattern, including the broadcast channel or the message-passing model with any underlying communication graph.

Finally, we note that the transformation in Theorem 1.1 preserves the computational efficiency 
of the honest parties, but the resulting protocol is non-uniform, even if the protocol we started with 
is uniform. We elaborate on this in Section 1.3. 

1.2 Related Work 

The resource of communication is central in several fields of computer science. The field of communication complexity is devoted to the study of which problems can be solved with as little communication as possible. We refer to the book of Kushilevitz and Nisan [KN97] for an introduction to the field. In cryptography, minimizing communication has been the focus of several works in several contexts, including private information retrieval [KO97], random access memory machines [NN01], and more.

Interestingly, in the setting of distributed computing most of the work focuses on optimizing 
other resources such as round complexity, fault-tolerance, and the quality of the outcome. Very few 
works focus on optimizing the maximal message length being sent during the protocols. Moreover, 
most of the work in the literature focuses on static adversaries, and very few papers study distributed 
protocols with respect to adaptive adversaries. Our results hold in both settings. 

Finally, we mention that separations between the LOCAL and CONGEST models are known for general tasks. For example, for network graphs of diameter D = Ω(log n), computing the minimum spanning tree (MST) in the LOCAL model requires O(D) rounds, whereas in the CONGEST model every distributed MST algorithm has round complexity Ω(D + √n / log² n) [PR00].

1.3 Overview of Our Techniques 

In this section we provide a high-level overview of our main ideas and techniques. First, we observe 
that one can assume, without loss of generality, that any protocol in which parties do not have 
private inputs, can be transformed into a public-coin protocol, in which honest parties’ messages 
consist only of random bits. This fact is folklore, and for the sake of completeness we include a proof sketch of it in Section 4.

Our main result is a generic transformation that converts any public-coin protocol, in which 
parties send arbitrarily long messages, into a protocol in which parties send messages of length 
m · polylog(n · d), where m is the number of bits the protocol outputs, n is the number of parties
participating in the protocol, and d is the number of communication rounds. The resulting protocol 
simulates the original protocol, has the same round complexity and satisfies the same security 
guarantees. Next, we elaborate on how this transformation works. 

Suppose for simplicity that in our underlying protocol each message sent is of length L = L(n) (and thus the messages come from a universe of size 2^L), and think of L as being very large. We convert any such protocol into a new protocol where each message consists of only ℓ bits, where we think of ℓ as being significantly smaller than L. This is done by choosing a priori 2^ℓ messages within the 2^L-size universe, and restricting the parties to send messages from this restricted universe. Thus, now each message is of length ℓ, which is supposedly significantly smaller than L. We note that a similar approach was taken in [New91] in the context of transforming public randomness into private randomness in communication complexity, in [GS10] to reduce the number of random bits needed for property testers, and most recently in [GKP15] to prove a lower bound for coin-flipping protocols in the setting of strong adaptive adversaries.

A priori, it may seem that such an approach is doomed to fail, since by restricting the honest 
parties to send messages from a small universe within the large 2^L-size universe, we give the adversary
a significant amount of information about future messages (especially in the multi-round case). 
Intuitively, the reason security is not compromised is that there are many possible restrictions, and 
it suffices to prove that a few (or only one) of these restrictions is secure. In other words, very 
loosely speaking, since we believe that most of the bits sent by honest parties are not “sensitive”, 
we believe that it is safe to post some information about each message ahead of time. 

For the sake of simplicity, in this overview we focus on static adversaries, and to simplify matters 
even further, we assume the adversary always corrupts the first t parties. This simplified setting 
already captures the high-level intuition behind our security proof in Section 3. 

Let us first consider one-round protocols. Note that for one-round protocols restricting the 
message space of honest parties does not affect security at all since we consider rushing adversaries, 
who may choose which messages to send based on the content of the messages sent by all honest 
parties in that round. Thus, reducing the length of messages is trivial in this case, assuming the set 
of parties that the adversary corrupts is predetermined. We mention that even in this extremely simplified setting, we need ℓ to be linear in m for correctness (“simulation”), i.e., in order to ensure that the output is distributed correctly.

Next, consider a multi-round protocol Π. We denote by H the restricted message space, i.e., H is a subset of the message universe of size 2^ℓ, and denote by Π_H the protocol Π where the messages are restricted to the set H. Suppose that for any set H there exists an adversary A_H that biases the outcome of Π_H, say towards 0. We show that in this case there exists an adversary A in the underlying protocol that biases the outcome towards 0. Loosely speaking, at each step the adversary A will simulate one of the adversaries A_H. More specifically, at any point in the underlying protocol, the adversary will randomly choose a set H such that the transcript so far is consistent with a run of protocol Π_H with the adversary A_H, and will simulate the adversary A_H. The main difficulty is to show that with high probability there exists such an H (i.e., the remaining set of consistent H’s is non-empty). This follows from a counting argument and basic probability

Of course, it may be that for different sets H, the adversary biases the outcome to a different value. For simplicity we assume here that all the adversaries bias the outcome towards a fixed message, which we denote by 0.
analysis.

In our actual construction, we have a distinct set H of size 2^ℓ corresponding to each message of the protocol. Thus, if the underlying protocol Π has d rounds, and all the parties send a message in each round, then the resulting (short-message) protocol is associated with d · n sets H_1, ..., H_{d·n}, each of size 2^ℓ, where the message of party j in round i is restricted to be in the set H_{i,j}. We denote all these sets by a matrix H ∈ ({0,1}^L)^{(d·n) × 2^ℓ}, where the row (i, j) of H corresponds to the set of messages that party j can send during round i.

Note that there are 2^{L·d·n·2^ℓ} such matrices. Each time an honest party sends a uniformly random message in Π it reduces the set of consistent matrices by approximately a 2^-factor (with high probability). Any time the adversary A sends a message, it also reduces the set of consistent matrices H, since its message is consistent only with some of the adversaries A_H, but again a probabilistic argument can be used to claim that it does not reduce the set of matrices by too much, and hence, with high probability there always exist matrices H that are consistent with the transcript so far.

We briefly mention that the analysis in the case of adaptive corruptions follows the same outline 
presented above. One complication is that the mere decision of whether to corrupt or not reduces 
the set of consistent matrices H. Nevertheless, we argue that many consistent matrices remain. 

We emphasize that the above is an over-simplification of our ideas, and the actual proof is more 
complex. We refer to Section 3 for more details. 

2 Preliminaries 

In this section we present the notation and basic definitions that are used in this work. For an integer n ∈ ℕ we denote by [n] the set {1, ..., n}. For a distribution X we denote by x ← X the process of sampling a value x from the distribution X. Similarly, for a set X we denote by x ← X the process of sampling a value x from the uniform distribution over X. Unless explicitly stated, we assume that the underlying probability distribution in our equations is the uniform distribution over the appropriate set. We let U_k denote the uniform distribution over {0,1}^k. We use log x to denote a logarithm in base 2.

A function negl: ℕ → ℝ is said to be negligible if for every constant c > 0 there exists an integer N_c such that negl(n) < n^{−c} for all n > N_c.

The statistical distance between two random variables X and Y over a finite domain Ω is defined as

\[
\mathrm{SD}(X, Y) \triangleq \frac{1}{2} \sum_{\omega \in \Omega} \bigl|\Pr[X = \omega] - \Pr[Y = \omega]\bigr| . \tag{2.1}
\]


The Model 

The communication model and distributed tasks. We consider the synchronous model where a set of n parties P_1, ..., P_n run protocols. Each protocol consists of rounds in which parties send messages. We assume the existence of a global counter which synchronizes parties in between rounds (but they are asynchronous within a round).

The focus of this work is on tasks where parties do not have any private inputs. Examples of 
such tasks are coin-flipping protocols, leader election protocols, Byzantine agreement protocols, etc. 
Throughout this paper, we restrict ourselves to public-coin protocols. 

Definition 2.1 (Public-coin protocols). A protocol is public-coin if all honest parties’ messages 
consist only of uniform random bits. 
Jumping ahead, we consider adversaries in the full information model. In Section 4 we argue
that the restriction to public-coin protocols is without loss of generality since in the full information 
model any protocol (in which parties do not have private inputs) can be converted into a public- 
coin one, without increasing the round complexity and without degrading security (though this 
transformation may significantly increase the communication complexity). 

The adversarial model. We consider the full information model, where it is assumed that the adversary is all powerful and may see the entire transcript of the protocol. The most common adversarial model considered in the literature is the Byzantine model, where a bound t = t(n) < n is specified, and the adversary is allowed to corrupt up to t parties. The adversary can see the entire transcript, has full control over all the corrupted parties, and can send any messages on their behalf. Moreover, the adversary has control over the order of the messages sent within each round of the protocol. We focus on the Byzantine model throughout this work.

Within this model, two types of adversaries were considered in the literature: static adversaries, 
who need to specify the parties they corrupt before the protocol begins, and adaptive adversaries, 
who can corrupt the parties adaptively based on the transcript so far. Our results hold for both 
types of adversaries. Throughout this work, we focus on the adaptive setting, since the proof is 
more complicated in this setting. In Subsection 3.3 we mention how to modify (and simplify) the 
proof for the static setting. 

Correctness and security. For any protocol Π and any adversary A, we denote by

out(A, Π | r_1, ..., r_n)

the output of the protocol Π when executed with the adversary A, and where each honest party P_j uses randomness r_j.

Let Π be a protocol whose output is a string in {0,1}^m for some m ∈ ℕ. Loosely speaking, we say that an adversary is “successful” if he manages to bias the output of the protocol to his advantage. More specifically, we say that an adversary is “successful” if he chooses a predetermined subset M ⊆ {0,1}^m of some size s, and succeeds in biasing the outcome towards the set M. To this end, for any set size s, we define

\[
\mathrm{succ}_s(\mathcal{A}, \Pi) \triangleq \max_{M \subseteq \{0,1\}^m \text{ s.t. } |M| = s} \mathrm{succ}_M(\mathcal{A}, \Pi)
= \max_{M \subseteq \{0,1\}^m \text{ s.t. } |M| = s} \Bigl( \Pr_{r_1,\ldots,r_n}\bigl[\mathrm{out}(\mathcal{A}, \Pi \mid r_1,\ldots,r_n) \in M\bigr] - \Pr_{r_1,\ldots,r_n}\bigl[\mathrm{out}_\Pi(r_1,\ldots,r_n) \in M\bigr] \Bigr) ,
\]

where out_Π(r_1, ..., r_n) denotes the outcome of the protocol Π if all the parties are honest and use randomness r_1, ..., r_n.

Intuitively, the reason we parameterize over the set size s is that we may hope for different values of succ_M(A, Π) for sets M of different sizes, since for a large set M it is often the case that Pr_{r_1,...,r_n}[out_Π(r_1, ..., r_n) ∈ M] is large, and hence succ_M(A, Π) is inevitably small, whereas for small sets M the value succ_M(A, Π) may be large.

For example, for coin-flipping protocols (where m = 1 and the outcome is a uniformly random bit in the case that all parties are honest), often an adversary is considered successful if it biases the outcome to his preferred bit with probability close to 1, and hence an adversary is considered successful if succ_M(A, Π) ≥ 1/2 − o(1) for either M = {0} or M = {1}, whereas for general selection protocols (where m is a parameter) one often considers subsets M ⊆ {0,1}^m of size γ · 2^m for some constant γ > 0, and an adversary is considered successful if there exists a constant δ > 0 such that succ_M(A, Π) ≥ δ.

Such an adversary is often referred to as “rushing”.
Definition 2.2 (Security). Fix any constant δ > 0, any t = t(n) < n, and any n-party protocol Π whose output is an element in {0,1}^m. Fix any s = s(m). We say that Π is (t, δ, s)-adaptively secure if for any adversary A that adaptively corrupts up to t = t(n) parties, it holds that

succ_s(A, Π) ≤ δ.

We note that this definition generalizes the standard security definition for coin-flipping protocols and selection protocols. We emphasize that our results are quite robust to the specific security definition that we consider, and we could have used alternative definitions as well. Intuitively, the reason is that we show how to transform any d-round protocol Π into another d-round protocol with short messages that simulates Π (see Definition 2.3 below), where this transformation is independent of the security definition. Then, in order to prove that the resulting protocol is as secure as the original protocol Π, we show that if there exists an adversary for the short protocol that manages to break security according to some definition, then there exists an adversary for Π that “simulates” the adversary of the short protocol and breaches security in the same way. (See Section 1.3 for more details, and Section 3 for the formal argument.)

Finally, we mention that an analogous definition to Definition 2.2 can be given for static adversaries. Our results hold for the static definition as well.

Definition 2.3 (Simulation). Let Π be an n-party protocol with outputs in {0,1}^m. We say that an n-party protocol Π' simulates Π if

SD(out_Π, out_{Π'}) = negl(n),

where out_Π is a random variable that corresponds to the output of protocol Π assuming all parties are honest, and out_{Π'} is a random variable that corresponds to the output of protocol Π' assuming all parties are honest.

Probabilistic Tools 

In the analysis we will use the following simple claims. 

Claim 2.4. Let k, M ∈ ℕ be two integers. Let U ⊆ {0,1}^k and f: U → [M]. For every i ∈ [M], denote by

\[
\alpha_i = \Pr_{u \leftarrow U}[f(u) = i] .
\]

Then,

\[
\mathop{\mathbb{E}}_{u \leftarrow U}\bigl[\alpha_{f(u)}\bigr] \ge \frac{1}{M} ,
\]

and for any ε > 0,

\[
\Pr_{u \leftarrow U}\Bigl[\alpha_{f(u)} \ge \frac{\varepsilon}{M}\Bigr] \ge 1 - \varepsilon .
\]


Proof. We begin with the proof of the first part. By the definition of expectation

\[
\mathop{\mathbb{E}}_{u \leftarrow U}\bigl[\alpha_{f(u)}\bigr] = \sum_{i=1}^{M} \alpha_i \cdot \Pr_{u \leftarrow U}[f(u) = i] = \sum_{i=1}^{M} \alpha_i^2 .
\]

This, together with the Cauchy–Schwarz inequality, implies that

\[
\mathop{\mathbb{E}}_{u \leftarrow U}\bigl[\alpha_{f(u)}\bigr] \ge \frac{1}{M} \Bigl( \sum_{i=1}^{M} \alpha_i \Bigr)^2 = \frac{1}{M} ,
\]

where the last equality follows from the fact that Σ_{i=1}^{M} α_i = 1.

For the second part, let

\[
B = \Bigl\{ i \in [M] : \alpha_i < \frac{\varepsilon}{M} \Bigr\} .
\]

Then,

\[
\Pr_{u \leftarrow U}\Bigl[\alpha_{f(u)} < \frac{\varepsilon}{M}\Bigr] = \Pr_{u \leftarrow U}[f(u) \in B] \le \sum_{i \in B} \alpha_i < |B| \cdot \frac{\varepsilon}{M} \le \varepsilon ,
\]

as desired, where the first inequality follows from the union bound and the definition of α_i, the second inequality follows from the definition of B, and the third inequality follows from the fact that |B| ≤ M. ■


Definition 2.5 (Entropy). Let X be a random variable with finite support. The (Shannon) entropy of X is defined as

\[
\mathrm{entropy}(X) = \sum_{x \in \mathrm{supp}(X)} \Pr[X = x] \cdot \log \frac{1}{\Pr[X = x]} = \mathop{\mathbb{E}}_{x \leftarrow X}\Bigl[ \log \frac{1}{\Pr[X = x]} \Bigr] .
\]


Claim 2.6. Let X be a random variable with domain {0,1}^k. If entropy(X) ≥ k − ε, then

\[
\mathrm{SD}(X, U_k) \le \sqrt{\frac{\varepsilon}{2}} ,
\]

where U_k is the uniform distribution over k bits, and where SD(X, U_k) denotes the statistical distance between X and U_k (see Equation (2.1) for the definition of statistical distance).


Proof. The relative entropy (a.k.a. the Kullback–Leibler divergence) between two distributions D_1, D_2 over {0,1}^k is defined as

\[
D_{\mathrm{KL}}(\mathcal{D}_1 \,\|\, \mathcal{D}_2) = \sum_{x \in \{0,1\}^k} \mathcal{D}_1(x) \cdot \log \frac{\mathcal{D}_1(x)}{\mathcal{D}_2(x)} .
\]

A well known relation between relative entropy and statistical distance is Pinsker’s inequality, which states that for any two distributions D_1, D_2 as above, it holds that

\[
\mathrm{SD}(\mathcal{D}_1, \mathcal{D}_2) \le \sqrt{\frac{\ln 2}{2} \cdot D_{\mathrm{KL}}(\mathcal{D}_1 \,\|\, \mathcal{D}_2)} . \tag{2.2}
\]

Thus, it remains to bound the relative entropy of X and U_k. Let p_x = Pr[X = x]. We get that

\[
D_{\mathrm{KL}}(X \,\|\, U_k) = \sum_{x \in \{0,1\}^k} p_x \cdot \log\bigl(p_x \cdot 2^k\bigr)
= \sum_{x \in \{0,1\}^k} p_x \cdot \bigl(\log(p_x) + k\bigr)
= -\mathrm{entropy}(X) + k .
\]

Since entropy(X) ≥ k − ε, we get that

\[
D_{\mathrm{KL}}(X \,\|\, U_k) \le -k + \varepsilon + k = \varepsilon .
\]

Plugging this into Pinsker’s inequality (see Equation (2.2)), we get that

\[
\mathrm{SD}(X, U_k) \le \sqrt{\frac{\ln 2}{2} \cdot \varepsilon} \le \sqrt{\frac{\varepsilon}{2}} .
\]
■


3 Compressing Communication in Distributed Protocols 

In this section we show how to transform any n-party d-round t-adaptively secure public-coin protocol that outputs messages of length m and sends messages of length L, into an n-party d-round t-adaptively secure public-coin protocol in which every party sends messages of length ℓ = m · polylog(n, d).

Throughout this section, we fix μ* to be the negligible function defined by

μ* = μ*(n, d) =  + 1 − (1 −  · 2dn, (3.1)

and where ε =

Theorem 3.1. Fix any m = m(n), d = d(n), L = L(n), and any n-party d-round public-coin protocol Π that outputs messages in {0,1}^m and in which all parties send messages of length L = L(n). Then, for any constant δ > 0, any t = t(n) < n, and any s = s(m), if Π is (t, δ, s)-adaptively secure then there exists an n-party d-round (t, δ', s)-adaptively secure public-coin protocol that simulates Π, where all parties send messages of length ℓ = m · log^(n · d), and where δ' ≤ δ + μ* (and μ* = μ*(n, d) is the negligible function defined in Equation (3.1)).

Proof. Fix any m = m(n), d = d(n), L = L(n), and any n-party d-round public-coin protocol Π that outputs messages in {0,1}^m and in which all parties send messages of length L = L(n). Fix any constant δ > 0, any t = t(n) < n, and any s = s(m) such that Π is (t, δ, s)-adaptively secure. We start by describing the construction of the (short message) protocol. Let

N = 2^ℓ = (3.2)


Let

ℋ = { H : [d · n] × {0,1}^ℓ → {0,1}^L }
be the set of all possible [d·n] × {0,1}^ℓ = [d·n] × [N] matrices whose elements are from {0,1}^L. Note that |ℋ| = 2^{L·d·n·N}. We often interpret H : [d·n] × {0,1}^ℓ → {0,1}^L as a function

H : [d] × [n] × {0,1}^ℓ → {0,1}^L,

or as a matrix where each row is described by a pair from [d] × [n]. We abuse notation and denote by

H(i, j, r) = H((i − 1)n + j, r).

As a convention, we denote by R a message from {0,1}^L and by r a message from {0,1}^ℓ.

From now on, we assume for the sake of simplicity of notation that in protocol Π, in each round, all the parties send a message. Recall that we also assume for the sake of simplicity (and without loss of generality) that Π is a public-coin protocol (see Definition 2.1). For any H ∈ ℋ we define a protocol Π_H that simulates the execution of the protocol Π, as follows.

The Protocol Π_H. In the protocol Π_H, for every i ∈ [d] and j ∈ [n], in the i-th round, party P_j sends a random string r_{i,j} ← {0,1}^ℓ. We denote the resulting transcript in round i by

\[
\mathrm{Trans}_{H,i} = (r_{i,1}, \ldots, r_{i,n}) \in \bigl(\{0,1\}^\ell\bigr)^n ,
\]

and denote the entire transcript by

\[
\mathrm{Trans}_H = (\mathrm{Trans}_{H,1}, \ldots, \mathrm{Trans}_{H,d}) .
\]

We abuse notation, and define for every round i ∈ [d],

\[
H(\mathrm{Trans}_{H,i}) = \bigl(H(i, 1, r_{i,1}), \ldots, H(i, n, r_{i,n})\bigr) .
\]

Similarly, we define

\[
H(\mathrm{Trans}_H) = \bigl(H(\mathrm{Trans}_{H,1}), \ldots, H(\mathrm{Trans}_{H,d})\bigr) .
\]

The outcome of protocol Π_H with transcript Trans_H is defined to be the outcome of protocol Π with transcript H(Trans_H).

It is easy to see that the round complexity of Π_H (for every H ∈ ℋ) is the same as that of Π. Moreover, we note that with some complication in notation we could have also preserved the exact communication pattern (instead of assuming that in each round all parties send a message).
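To make the construction concrete, here is an added toy instance of the transformation from Π to Π_H (example code written for this page, not the paper's own). It assumes a 3-party, 2-round public-coin protocol Π in which every message is an 8-bit string and the output (m = 1) is the parity of all message bits, and takes ℓ = 2. For a sampled matrix H ← ℋ it computes the exact output distributions of Π and Π_H and their statistical distance as in Equation (2.1), which is the quantity Definition 2.3 asks to be negligible; it also exhibits a degenerate H, all of whose rows hold only even-parity messages, for which Π_H is constant.

```python
import itertools
import random
from collections import Counter

# Toy parameters; these are assumptions for this example, not values from the paper.
N_PARTIES = 3    # n
ROUNDS = 2       # d
LONG_BITS = 8    # L: length of a message in the underlying protocol Pi
SHORT_BITS = 2   # ell: length of a message in the compressed protocol Pi_H
SLOTS = ROUNDS * N_PARTIES  # one (round, party) slot per message, as in the paper


def parity(bits):
    """Parity of the popcount of an integer viewed as a bit string."""
    return bin(bits).count("1") & 1


def output_function(per_message_bits):
    """Output of Pi (m = 1) as a function of one bit per message: the XOR of them all.
    Chosen so that the honest output of Pi is exactly uniform, like a coin flip."""
    out = 0
    for b in per_message_bits:
        out ^= b
    return out


def output_distribution(slot_dists):
    """Exact output distribution, given for each slot the distribution of the
    per-message bit parity(R). Enumerates the 2^(d*n) bit vectors with product weights."""
    dist = {0: 0.0, 1: 0.0}
    for bits in itertools.product((0, 1), repeat=len(slot_dists)):
        weight = 1.0
        for b, sd in zip(bits, slot_dists):
            weight *= sd[b]
        dist[output_function(bits)] += weight
    return dist


def long_slot_distribution():
    """In Pi every party sends R <- {0,1}^L uniformly; distribution of parity(R)."""
    cnt = Counter(parity(R) for R in range(2 ** LONG_BITS))
    return {b: cnt[b] / 2 ** LONG_BITS for b in (0, 1)}


def sample_matrix(rng):
    """Sample H <- calligraphic-H: for every round i, party j and short message r,
    the entry H(i, j, r) is an independent uniform long message."""
    return {(i, j, r): rng.getrandbits(LONG_BITS)
            for i in range(ROUNDS) for j in range(N_PARTIES)
            for r in range(2 ** SHORT_BITS)}


def short_slot_distributions(H):
    """In Pi_H party j sends r <- {0,1}^ell in round i, and Pi's output rule is
    applied to H(Trans_H), i.e. the long message H(i, j, r) stands in for r."""
    dists = []
    for i in range(ROUNDS):
        for j in range(N_PARTIES):
            cnt = Counter(parity(H[(i, j, r)]) for r in range(2 ** SHORT_BITS))
            dists.append({b: cnt[b] / 2 ** SHORT_BITS for b in (0, 1)})
    return dists


def statistical_distance(p, q):
    """Equation (2.1): SD(X, Y) = 1/2 * sum over w of |Pr[X = w] - Pr[Y = w]|."""
    return 0.5 * sum(abs(p.get(w, 0.0) - q.get(w, 0.0)) for w in set(p) | set(q))


def simulation_error(H):
    """SD(out_{Pi_H}, out_Pi) for one fixed matrix H (the quantity in Definition 2.3)."""
    out_pi = output_distribution([long_slot_distribution()] * SLOTS)
    out_pi_h = output_distribution(short_slot_distributions(H))
    return statistical_distance(out_pi, out_pi_h)


def fraction_of_simulating_matrices(trials, tolerance=1e-12, seed=0):
    """Fraction of sampled H for which Pi_H simulates Pi up to `tolerance`;
    Lemma 3.3 is a statement about exactly this fraction over H <- calligraphic-H."""
    rng = random.Random(seed)
    good = sum(simulation_error(sample_matrix(rng)) <= tolerance for _ in range(trials))
    return good / trials


def degenerate_matrix():
    """A matrix every row of which holds only even-parity messages: Pi_H always outputs 0."""
    return {(i, j, r): 0 for i in range(ROUNDS) for j in range(N_PARTIES)
            for r in range(2 ** SHORT_BITS)}


if __name__ == "__main__":
    rng = random.Random(1)
    print("SD for a random H:", simulation_error(sample_matrix(rng)))
    print("SD for the degenerate H:", simulation_error(degenerate_matrix()))
    print("fraction of simulating H:", fraction_of_simulating_matrices(200))
```

With these toy parameters a slot whose four long messages split two/two by parity already makes the XOR output exactly uniform, so most sampled H give statistical distance 0 while the degenerate H gives 1/2.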

In order to prove Theorem 1.1 it suffices to prove the following two lemmas. 

Lemma 3.2. There exists a subset $\mathcal{H}_0 \subseteq \mathcal{H}$ of size $|\mathcal{H}|/2$ such that for every matrix $H \in \mathcal{H}_0$ it holds 
that $\Pi_H$ is $(t, \delta', s)$-adaptively secure for $\delta' = \delta + \mu^*$, where $\mu^*$ is the negligible function defined in 
Equation (3.1). 

Lemma 3.3. There exists a negligible function $\mu = \mu(n, d)$ such that, 

$$\Pr_{H \leftarrow \mathcal{H}}\left[\mathrm{SD}(\mathrm{out}_{\Pi_H}, \mathrm{out}_{\Pi}) \le \mu\right] \ge \frac{2}{3}.$$

Indeed, given Lemmas 3.2 and 3.3, we obtain that there exists an $H \in \mathcal{H}$ such that $\Pi_H$ is 
$(t, \delta', s)$-adaptively secure and it simulates $\Pi$. ■ 

In Section 3.1 we give the proof of Lemma 3.3 and in Section 3.2 we give the proof of Lemma 3.2. 
3.1 Proof of Lemma 3.3 


By the definition of statistical distance, in order to prove Lemma 3.3 it suffices to prove that there 
exists a negligible function $\mu = \mu(n, d)$ such that, 

$$\Pr_{H \leftarrow \mathcal{H}}\left[\forall z \in \{0,1\}^m,\ \big|\Pr[\mathrm{out}_{\Pi_H} = z] - \Pr[\mathrm{out}_{\Pi} = z]\big| \le \frac{\mu}{2^m}\right] \ge \frac{2}{3}.$$

Note that 

$$\Pr_{H \leftarrow \mathcal{H}}\left[\forall z \in \{0,1\}^m,\ \big|\Pr[\mathrm{out}_{\Pi_H} = z] - \Pr[\mathrm{out}_{\Pi} = z]\big| \le \frac{\mu}{2^m}\right] = 1 - \Pr_{H \leftarrow \mathcal{H}}\left[\exists z \in \{0,1\}^m,\ \big|\Pr[\mathrm{out}_{\Pi_H} = z] - \Pr[\mathrm{out}_{\Pi} = z]\big| > \frac{\mu}{2^m}\right] \ge 1 - \sum_{z \in \{0,1\}^m} \Pr_{H \leftarrow \mathcal{H}}\left[\big|\Pr[\mathrm{out}_{\Pi_H} = z] - \Pr[\mathrm{out}_{\Pi} = z]\big| > \frac{\mu}{2^m}\right].$$

Therefore, it suffices to prove that there exists a negligible function $\mu$ such that for every $z \in \{0,1\}^m$, 

$$\Pr_{H \leftarrow \mathcal{H}}\left[\big|\Pr[\mathrm{out}_{\Pi_H} = z] - \Pr[\mathrm{out}_{\Pi} = z]\big| > \frac{\mu}{2^m}\right] \le \frac{1}{3 \cdot 2^m}.$$

To this end, for any $z \in \{0,1\}^m$, we denote by $p_z = \Pr[\mathrm{out}_{\Pi} = z]$ and $p_{z,H} = \Pr[\mathrm{out}_{\Pi_H} = z]$. 
Using this notation, it suffices to prove that there exists a negligible function $\mu$ such that for every 
$z \in \{0,1\}^m$, 

$$\Pr_{H \leftarrow \mathcal{H}}\left[|p_{z,H} - p_z| > \frac{\mu}{2^m}\right] \le \frac{1}{3 \cdot 2^m}.$$


For any H £ Ti, consider the experiment, where we run the protocol Hh independently B = 
2™'i°g times, and check how many times the output is z. Denote by Xi,... ,Xb the identically 
distributed random variables, where $X_i = 1$ if in the $i$-th run of the protocol the outcome is $z$, and 
$X_i = 0$ otherwise. The Chernoff bound¹ implies that for every $H \in \mathcal{H}$ and for every $\gamma > 0$, 


Pr 


B 




i - Pz,H 


i=l 


> 7 


< e 


In particular, setting 7 = 2 -we deduce that 


Pr 


B 


B 




Pz,H 


i=l 


> 7 


< e 


_ 2^m-\og (nd) 


(3.3) 


We next define random variables $Y_1, \ldots, Y_B$ as follows: We run the protocol $\Pi$ independently $B$ 
times, and we set $Y_i = 1$ if in the $i$-th run the outcome is $z$, and otherwise we set $Y_i = 0$. We note 
that the same argument used to deduce Equation (3.3) can be used to deduce that 


Pr 


1 ^ 


2 = 1 


> 7 


< e 


_ 2Tn-log (nd) 


(3.4) 


¹The Chernoff bound states that for any identical and independent random variables $X_1, \ldots, X_B$, such that $X_i \in$ 
$\{0, 1\}$ for each $i$, if we denote by $p = \mathbb{E}[X_i]$ then $\Pr[|\frac{1}{B}\sum_i X_i - p| > \delta] \le$ . 
Note that 


Pr -Pz\> ^l]< 

B 


Pr 


Pr 


Pz,H 


1 

'b 


2=1 


+ 


B B 

iE^.-iE^. 

2=1 2=1 


+ 


B 


B 




■Pz 


2=1 


> 47 


< 


B 


pz,h-^J2^-^ 


2 • e 


_2'^'log {nd) 


2=1 


+ Pr 


> 7 


+ Pr 

B B 

> 27 

+ Pr 

1 ^ 

> 7 


2=1 2=1 

s 1 



2=1 

- 


< 




B 


> 27 


Pr 


> 27 


< 




2=1 2=1 

where the first inequality follows from the triangle inequality, the second inequality follows from the 
union bound, and the third inequality follows from Equations (3.3) and (3.4). Thus, it suffices to 
prove that there exists a negligible function $\mu = \mu(n, d)$ such that 

B B 

2 = 1 2 = 1 

To this end, notice that for a random $H \leftarrow \mathcal{H}$, 

SD((Xi,...,Xs),(Ti,...,Yb))< 

B 

^SD((Xi,...,x,_i,x,,y,+i,...,yB),(Xi , . . . , ^ 2 —1 ? ^ ? ^+1; ■ ■ ■ ) Ps)) = 

2=1 
B 




2=1 




Nnd 


B^ ■ nd 

-< 

N - 

22mlog3(nd) . 

2 m log^(nd) 
2—mlog^{nd) 


< 


where the first equation follows from a standard hybrid argument. The second equation follows from 
the fact that $Y_{i+1}, \ldots, Y_B$ are independent of $X_1, \ldots, X_i, Y_i$. The third equation follows from the 
fact that the statistical distance between $(X_1, \ldots, X_{i-1}, X_i)$ and $(X_1, \ldots, X_{i-1}, Y_i)$ is maximal for 
$i = B$. The fourth equation follows from the fact that $(X_1, \ldots, X_{B-1}, X_B)$ and $(X_1, \ldots, X_{B-1}, Y_B)$ 
are identically distributed if the following event, which we denote by $\mathrm{Good}$, occurs: Recall that 
each $X_i$ depends only on $nd$ random coordinates of $H \leftarrow \mathcal{H}$. We say that $\mathrm{Good}$ occurs if the $nd$ 
coordinates that $X_B$ depends on are disjoint from all the $nd(B-1)$ coordinates that $X_1, \ldots, X_{B-1}$ 
depend on. The fourth equation then follows from the bound on $\Pr[\neg\mathrm{Good}]$, and the remaining 
equations follow from basic arithmetic and from the definition of $B$ and $N$. 

In particular, this implies that 

S'’ f (1 E ■ (1 E ’'■) ) S (3.5) 
Consider the algorithm $V$ that given supposedly distributed according to 
tributed according to Ylf=i outputs 1 if $|p' - p_z| \le \gamma$, and otherwise outputs 0. Equation (3.4) 
implies that 


Pr 


1 


B 




2=1 


> 1 - e 


_2‘^'loS {nd) 


This together with Equation (3.5), implies that 

B \ 


Pr 




B 


2=1 


^ I _ _ 2-mlog®(nrf) > 


which by the definition of $V$, implies that 

B 


Pr 


This, in particular, implies that 




Pz 


2=1 


< 7 


^ _ 2 ~"* 


Pr 


B B 

iE^.-iE>'. 


i=l 


i=l 


< 27 


y I _ 2.2 -™l°g^(’^'^) 


as desired. 


3.2 Proof of Lemma 3.2 

Assume towards contradiction that for every set $\mathcal{H}_0 \subseteq \mathcal{H}$ of size $|\mathcal{H}|/2$ there exists $H \in \mathcal{H}_0$ such that 
$\Pi_H$ is not $(t, \delta', s)$-adaptively secure, for $\delta' = \delta + \mu^*$. This implies that there exists a set $\mathcal{H}_0 \subseteq \mathcal{H}$ of 
size $|\mathcal{H}|/2$ such that for every $H \in \mathcal{H}_0$ there exists an adversary $\mathcal{A}^H$ that adaptively corrupts at most $t$ 
parties and satisfies 

$$\mathrm{succ}_s((\mathcal{A}^H)_{\Pi_H}) > \delta'.$$

This, in turn, implies that there exists a set $M \subseteq \{0,1\}^m$ of size $s > 0$ such that for at least a 
$1/\binom{2^m}{s}$-fraction of the $H$'s in $\mathcal{H}_0$ the adversary $\mathcal{A}^H$ satisfies that $\mathrm{succ}_M((\mathcal{A}^H)_{\Pi_H}) > \delta'$. We denote 
this set of $H$'s by $\mathcal{H}_1$. Notice that 


$$|\mathcal{H}_1| \ge \frac{|\mathcal{H}|}{2 \cdot \binom{2^m}{s}} \ge \frac{|\mathcal{H}|}{2^{2^m}} = 2^{dnNL - 2^m}. \qquad (3.6)$$


The proof proceeds as follows: we show how to use these adversaries $\{\mathcal{A}^H\}_{H \in \mathcal{H}_1}$ to construct an 
adversary $\mathcal{A}$ such that 

$$\mathrm{succ}_M(\mathcal{A}_{\Pi}) \ge \delta' - \mu^*/2 = \delta + \mu^* - \mu^*/2 > \delta,$$

contradicting the $(t, \delta, s)$-adaptive security of $\Pi$. 

The idea is for the adversary $\mathcal{A}$ to simulate the execution of one of the $\mathcal{A}^H$'s. The problem is 
that we do not know ahead of time which $H$ will be consistent with the transcript of the protocol, 
since we have no control over the (long) random messages of the honest parties. We overcome this 
problem by choosing $H$ adaptively. Namely, at any point in the protocol, $\mathcal{A}$ simulates a random 
adversary $\mathcal{A}^H$, where $H$ is a random matrix that is consistent (in some sense that we explain later) 
with the transcript up to that point. 
More specifically, for every $i \in [d]$ and every $j \in [n]$, we denote by $\mathcal{H}_{i,j-1}$ the set of matrices that 
are consistent with the transcript up until the point where the $j$-th message of the $i$-th round is about 
to be sent. Fix any round $i \in [d]$ and any $j \in [n]$. Roughly speaking, in the $i$-th round before the $j$-th 
message is to be sent, the adversary $\mathcal{A}$ simulates $\mathcal{A}^{H^*}$ where $H^* \leftarrow \mathcal{H}_{i,j-1}$ is chosen uniformly at 
random. If $\mathcal{A}^{H^*}$ corrupts a party $P_u$ then $\mathcal{A}$ also corrupts $P_u$. If $\mathcal{A}^{H^*}$ sends a message $r^*$ on behalf 
of a corrupted party $P_u$, then $\mathcal{A}$ will send the message $R^* = H^*(i, u, r^*)$ on behalf of party $P_u$. In 
this case, we define $\mathcal{H}_{i,j}$ to be all the matrices in $\mathcal{H}_{i,j-1}$ which are consistent with the transcript 
so far and agree with $H^*$ on row $(i, u)$. If $\mathcal{A}^{H^*}$ asks an honest party $P_u$ to send its message, the 
adversary $\mathcal{A}$ will also ask honest party $P_u$ to send a message. Upon receiving a message $R^*$ from 
$P_u$, we choose a random matrix $H \leftarrow \mathcal{H}_{i,j-1}$ that is consistent with the transcript so far, and set 
$\mathcal{H}_{i,j}$ to be all the matrices in $\mathcal{H}_{i,j-1}$ that are consistent with the transcript so far, and where we fix 
the $(i, u)$ row to be the $(i, u)$ row of $H$. 

Before giving the precise description of the adversary $\mathcal{A}$, we provide some useful notation. We 
denote the transcript generated in an execution of the protocol $\Pi$ with an adversary $\mathcal{A}$ by $\mathrm{Trans}_{\mathcal{A}}$. 
Note that $\mathrm{Trans}_{\mathcal{A}}$ consists of $d$ vectors (one per each round), where each vector consists of $n$ pairs 
of the form 

$$((P_{j_1}, R_1), \ldots, (P_{j_n}, R_n)),$$

where $R_1, \ldots, R_n \in \{0,1\}^{L}$ and $j_1, \ldots, j_n \in [n]$, where the order means that in this round party 
$P_{j_1}$ sent his message first, then party $P_{j_2}$ sent his message, and so on (recall that in our model, 
the adversary has control over the scheduling of the messages within each round). We sometimes 
consider a partial transcript $\mathrm{Trans}_{i,j}$ (i.e., a prefix of a transcript) which corresponds to a partial 
execution of the protocol $\Pi$ with the adversary $\mathcal{A}$ until after the $j$-th message in the $i$-th round was 
sent. For $H \in \mathcal{H}$, we denote by 

$$\mathrm{MAP}_H : [d] \times [n] \times \{0,1\}^{L} \to \{0,1\}^{\ell} \cup \{\bot\}$$

the mapping that takes as input a row number $(i, j) \in [d] \times [n]$ and a (long) message $R \in \{0,1\}^{L}$, 
and converts it into a (short) message $r \in \{0,1\}^{\ell}$ such that $H(i, j, r) = R$. If no such message exists, 
$\mathrm{MAP}_H$ outputs $\bot$. 

Let $\mathrm{Trans}_{i,j}$ be a (long) partial transcript of $\Pi$. The corresponding (short) transcript of $\Pi_H$, 
denoted by $\mathrm{MAP}_H(\mathrm{Trans}_{i,j})$, is defined recursively, as follows. Let $\mathrm{Trans}_{i,j} = (\mathrm{Trans}_{i,j-1}, (P_u, R))$. 
Then, 

$$\mathrm{MAP}_H(\mathrm{Trans}_{i,j}) = (\mathrm{MAP}_H(\mathrm{Trans}_{i,j-1}), (P_u, \mathrm{MAP}_H(i, u, R))).$$

We initialize $\mathrm{Trans}_{1,0} = \emptyset$ and $\mathcal{H}_{1,0} = \mathcal{H}_1$. Using this notation, a formal description of the adversary 
$\mathcal{A}$ is given in Figure 1. 

In order to prove Lemma 3.2 (and thus to complete the proof of Theorem 1.1), it suffices to 
prove the following lemma. 

Lemma 3.4. The adversary $\mathcal{A}$ makes at most $t$ adaptively-chosen corruptions, and $\mathrm{succ}_M(\mathcal{A}_{\Pi}) \ge$ 
$\delta' - \mu^*/2$. 

Proof. We first note that $\mathcal{A}$ always makes at most $t$ corruptions. This follows from the fact that $\mathcal{A}$ 
is always consistent with some adversary $\mathcal{A}^H$, for some $H \in \mathcal{H}_1$ (or else $\mathcal{A}$ aborts), and by our 
assumption, every $\mathcal{A}^H$ makes at most $t$ corruptions. 
The adversary $\mathcal{A}(\mathrm{Trans}_{i,j-1})$ before the $j$-th message of round $i$ 

1. If $\mathcal{H}_{i,j-1} = \emptyset$, output $\bot$ and HALT. 

2. Choose $H^* \leftarrow \mathcal{H}_{i,j-1}$ uniformly at random. Let $\mathrm{Trans}_{H^*} = \mathrm{MAP}_{H^*}(\mathrm{Trans}_{i,j-1})$ denote the 
(short) transcript in the protocol $\Pi_{H^*}$ that corresponds to the (long) transcript $\mathrm{Trans}_{i,j-1}$. 

3. If $\mathcal{A}^{H^*}(\mathrm{Trans}_{H^*})$ corrupts a party $P_u$ then corrupt $P_u$. 

4. If $\mathcal{A}^{H^*}(\mathrm{Trans}_{H^*})$ sends a message on behalf of a corrupt party $P_u$, then do the following: 

(a) Denote by $r^* \in \{0,1\}^{\ell}$ the message that $\mathcal{A}^{H^*}(\mathrm{Trans}_{H^*})$ sends on behalf of $P_u$. Let 
$R^* = H^*(i, u, r^*)$. 

(b) Send the message $R^*$ on behalf of party $P_u$. 

(c) Add $(P_u, R^*)$ to the partial transcript. Namely, set 

$$\mathrm{Trans}_{i,j} = (\mathrm{Trans}_{i,j-1}, (P_u, R^*)).$$

(d) Define $\mathcal{H}_{i,j}$ to be the set of all $H \in \mathcal{H}_{i,j-1}$ that are consistent with the transcript so far, 
and for which $H(i, u, \cdot) = H^*(i, u, \cdot)$. Namely, set 

$$\mathcal{H}_{i,j} = \{H \in \mathcal{H}_{i,j-1} \mid \forall r : H(i, u, r) = H^*(i, u, r), \text{ and } \mathcal{A}^H(\mathrm{Trans}_H) \text{ sends } r^* \text{ on behalf of } P_u, \text{ where } \mathrm{Trans}_H = \mathrm{MAP}_H(\mathrm{Trans}_{i,j-1})\}.$$

5. If $\mathcal{A}^{H^*}(\mathrm{Trans}_{H^*})$ does not corrupt, and orders an honest party $P_u$ to send a message, then do 
the following: 

(a) Do not corrupt, and order honest party $P_u$ to send a message. Denote the message it 
sends by $R^*$. 

(b) Add $(P_u, R^*)$ to the partial transcript. Namely, set 

$$\mathrm{Trans}_{i,j} = (\mathrm{Trans}_{i,j-1}, (P_u, R^*)).$$

(c) Choose a random matrix 

$$H' \leftarrow \{H \in \mathcal{H}_{i,j-1} \mid \mathcal{A}^H(\mathrm{Trans}_H) \text{ orders honest } P_u \text{ to send a message, and } \exists r \text{ s.t. } H(i, u, r) = R^*\}.$$

(d) Define $\mathcal{H}_{i,j}$ to be the set of all $H \in \mathcal{H}_{i,j-1}$ that are consistent with the transcript so far, 
and agree with $H'$ on row $(i, u)$. That is, 

$$\mathcal{H}_{i,j} = \{H \in \mathcal{H}_{i,j-1} \mid \forall r : H(i, u, r) = H'(i, u, r), \text{ and } \mathcal{A}^H(\mathrm{Trans}_H) \text{ orders honest } P_u \text{ to send a message}\}.$$

6. If $j = n$, set $\mathcal{H}_{i+1,0} = \mathcal{H}_{i,j}$ and $\mathrm{Trans}_{i+1,0} = \mathrm{Trans}_{i,j}$. 

Figure 1: The adversary $\mathcal{A}$ before the $j$-th message of round $i$. 
We next prove that $\mathrm{succ}_M(\mathcal{A}_{\Pi}) \ge \delta' - \mu^*/2$. Recall that we denote by $\mathrm{Trans}_{\mathcal{A}}$ the random 
variable that corresponds to the transcript generated by running the protocol $\Pi$ with the adversary $\mathcal{A}$ 
(described in Figure 1). 

Let $\mathrm{Trans}_{\mathrm{ideal}}$ be an “ideal” transcript, generated as follows: Choose a random $H \leftarrow \mathcal{H}_1$, run the 
protocol $\Pi_H$ with the adversary $\mathcal{A}^H$. Denote the resulting transcript by $\mathrm{Trans}_H$. As above, $\mathrm{Trans}_H$ 
consists of $d$ vectors (one per each round), where each vector consists of $n$ pairs of the form 

$$((P_{j_1}, r_1), \ldots, (P_{j_n}, r_n)),$$

where $r_1, \ldots, r_n \in \{0,1\}^{\ell}$ and $j_1, \ldots, j_n \in [n]$. We define 

$$\mathrm{Trans}_{\mathrm{ideal}} = H(\mathrm{Trans}_H),$$

where $H(\mathrm{Trans}_H)$ is the transcript obtained by applying $H(i, u, \cdot)$ to each element $(P_u, r)$ in the $i$-th row 
of $\mathrm{Trans}_H$. Formally, $H(\mathrm{Trans}_H)$ is defined recursively, as follows: For every $i \in [d]$ and every $j \in [n]$, 
we let $\mathrm{Trans}_{H,i,j}$ denote the transcript $\mathrm{Trans}_H$ up until after the $j$-th message in the $i$-th round is sent. 
We define $H(\mathrm{Trans}_{H,i,j})$ recursively, as follows: For $\mathrm{Trans}_{H,i,j} = (\mathrm{Trans}_{H,i,j-1}, (P_u, r))$, we define 

$$H(\mathrm{Trans}_{H,i,j}) = (H(\mathrm{Trans}_{H,i,j-1}), (P_u, H(i, u, r))).$$

In order to prove Lemma 3.4 it suffices to prove the following claim. 

Claim 3.5. 

$$\mathrm{SD}(\mathrm{Trans}_{\mathcal{A}}, \mathrm{Trans}_{\mathrm{ideal}}) \le \mu^*/2.$$

Proof. We prove Claim 3.5 using a hybrid argument. Specifically, we define a sequence of $d \cdot (n+1)$ 
experiments. For every $i \in [d]$ and every $j \in \{0, 1, \ldots, n\}$, we define the experiment $\mathrm{Exp}^{(i,j)}$ as 
follows: 

1. Generate $\mathrm{Trans}_{i,j}$ and $\mathcal{H}_{i,j}$, as defined in Figure 1. 

2. Choose a random $H \leftarrow \mathcal{H}_{i,j}$ and let $\mathrm{Trans}_{H,i,j} = \mathrm{MAP}_H(\mathrm{Trans}_{i,j})$. 

3. Run the protocol $\Pi_H$ with the adversary $\mathcal{A}^H$, given the partial transcript $\mathrm{Trans}_{H,i,j}$. Namely, 
run $\Pi_H$ with $\mathcal{A}^H$ from after the $j$-th message in the $i$-th round was sent, and assume the transcript 
up until that point is $\mathrm{Trans}_{H,i,j}$. Denote the entire transcript (including $\mathrm{Trans}_{H,i,j}$) by $\mathrm{Trans}_H$. 

4. Output $H(\mathrm{Trans}_H)$. 

Notice that 

$$\mathrm{Exp}^{(d,n)} \equiv \mathrm{Trans}_{\mathcal{A}},$$

and 

$$\mathrm{Exp}^{(1,0)} \equiv \mathrm{Trans}_{\mathrm{ideal}}.$$

It remains to argue that for every $i \in [d]$ and every $j \in [n]$ the statistical distance between any 
two consecutive experiments $\mathrm{Exp}^{(i,j-1)}$ and $\mathrm{Exp}^{(i,j)}$ is small. In particular, it suffices to prove that 

$$\mathrm{SD}(\mathrm{Exp}^{(i,j-1)}, \mathrm{Exp}^{(i,j)}) \le \frac{\mu^*}{2dn}. \qquad (3.7)$$

The reason is that given this inequality, we obtain that 

$$\mathrm{SD}(\mathrm{Trans}_{\mathcal{A}}, \mathrm{Trans}_{\mathrm{ideal}}) \le \sum_{i \in [d]} \sum_{j \in [n]} \mathrm{SD}(\mathrm{Exp}^{(i,j-1)}, \mathrm{Exp}^{(i,j)}) \le d \cdot n \cdot \frac{\mu^*}{2dn} = \frac{\mu^*}{2},$$

which completes the claim. We note that the first inequality follows from the union bound together 
with the fact that $\mathrm{Exp}^{(i,n)} = \mathrm{Exp}^{(i+1,0)}$ for every $i \in [d-1]$ (see Figure 1 Item 6). 


We proceed with the proof of Equation (3.7). To this end, fix any $i \in [d]$ and $j \in [n]$. Let 
$k = (i-1) \cdot d + j$. Note that in both $\mathrm{Exp}^{(i,j-1)}$ and $\mathrm{Exp}^{(i,j)}$ the first $k-1$ messages are generated 
according to $\mathrm{Trans}_{\mathcal{A}}$. 

Denote by $\mathrm{corrupt}_k$ the event that the $k$-th message is sent by a corrupted party. We first argue 
that 

$$\Pr\left[\mathrm{corrupt}_k \mid \mathrm{Exp}^{(i,j-1)}\right] = \Pr\left[\mathrm{corrupt}_k \mid \mathrm{Exp}^{(i,j)}\right].$$

This follows immediately from the definition of the two experiments. In $\mathrm{Exp}^{(i,j)}$ (according to 
Figure 1, Items 2-4), before sending the $k$-th message, a random function is chosen $H^* \leftarrow \mathcal{H}_{i,j-1}$ and 
the $k$-th message is sent by a corrupted party if and only if $\mathcal{A}^{H^*}$ chooses the $k$-th message to be sent 
by a corrupted party (given the transcript so far). Note that in $\mathrm{Exp}^{(i,j-1)}$, the same exact process 
occurs (see Items 2 to 4 at the beginning of the proof of Claim 3.5). 

We next argue 

$$\mathrm{SD}\left(\left(\mathrm{Exp}^{(i,j-1)} \mid \mathrm{corrupt}_k\right), \left(\mathrm{Exp}^{(i,j)} \mid \mathrm{corrupt}_k\right)\right) = 0. \qquad (3.8)$$

To see why Equation (3.8) holds, note that according to Figure 1 (see Items 2 to 4), the $k$-th message 
in $\left(\mathrm{Exp}^{(i,j)} \mid \mathrm{corrupt}_k\right)$ is chosen by sampling a random matrix $H^* \leftarrow \mathcal{H}_{i,j-1}$ conditioned on the fact 
that the $k$-th message sent in $\Pi_{H^*}$ with $\mathcal{A}^{H^*}$ is sent by a corrupted party. Denote this corrupted 
party by $P_u$ and denote by $r^*$ the message that $\mathcal{A}^{H^*}$ sends on behalf of $P_u$. Then the $k$-th message in 
$\mathrm{Exp}^{(i,j)}$ is set to be $H^*(i, u, r^*)$. Note that the $k$-th message in $\mathrm{Exp}^{(i,j-1)}$ is chosen in exactly the same 
way (see Items 2 to 4 at the beginning of the proof of Claim 3.5). Moreover, the distribution of the 
set $\mathcal{H}_{i,j}$ in both cases is identical, which implies that the distributions of the rest of the messages in 
$\left(\mathrm{Exp}^{(i,j-1)} \mid \mathrm{corrupt}_k\right)$ and in $\left(\mathrm{Exp}^{(i,j)} \mid \mathrm{corrupt}_k\right)$ are identical as well. 

It remains to prove that 

$$\mathrm{SD}\left(\left(\mathrm{Exp}^{(i,j-1)} \mid \neg\mathrm{corrupt}_k\right), \left(\mathrm{Exp}^{(i,j)} \mid \neg\mathrm{corrupt}_k\right)\right) \le \frac{\mu^*}{2dn}. \qquad (3.9)$$

Recall that in $\left(\mathrm{Exp}^{(i,j)} \mid \neg\mathrm{corrupt}_k\right)$ the $k$-th message is uniformly distributed in $\{0,1\}^{L}$. Denote 
by $R'$ the $k$-th message in $\left(\mathrm{Exp}^{(i,j-1)} \mid \neg\mathrm{corrupt}_k\right)$. Recall that $R'$ is distributed as follows: Choose 
a random $H \leftarrow \mathcal{H}_{i,j-1}$ such that the adversary $\mathcal{A}^H$ (given the partial transcript $\mathrm{MAP}_H(\mathrm{Trans}_{i,j-1})$) 
orders an honest party $P_u$ to send the $j$-th message in the $i$-th round. Choose a random $r' \leftarrow \{0,1\}^{\ell}$, 
and set $R' = H(i, u, r')$. 

Notice that in order to prove Equation (3.9), it suffices to prove that 

$$\mathrm{SD}(R', U_L) \le \frac{\mu^*}{2dn}. \qquad (3.10)$$
Recall the value of $\varepsilon$ fixed earlier. We argue that in order to prove Equation (3.10) it suffices 
to prove that, 

$$\Pr\left[|\mathcal{H}_{i,j-1}| \ge \frac{2^{dnNL}}{2^{(k-1)NL} \cdot (4nN)^{k-1} \cdot 2^{2^m}}\right] \ge (1 - \varepsilon)^{k-1}, \qquad (3.11)$$

where the probability is over the randomness of the honest parties. 

To this end, suppose that Equation (3.11) holds. Denote by $E$ the event that 

$$|\mathcal{H}_{i,j-1}| \ge \frac{2^{dnNL}}{2^{(k-1)NL} \cdot (4nN)^{k-1} \cdot 2^{2^m}}.$$

By Equation (3.11), 

$$\Pr[E] \ge (1 - \varepsilon)^{k-1}. \qquad (3.12)$$

Therefore, 

$$\mathrm{SD}(R', U_L) \le \mathrm{SD}((R' \mid E), U_L) \cdot \Pr[E] + \mathrm{SD}((R' \mid \neg E), U_L) \cdot \Pr[\neg E] \le \mathrm{SD}((R' \mid E), U_L) + \Pr[\neg E] \le \mathrm{SD}((R' \mid E), U_L) + 1 - (1 - \varepsilon)^{k-1}.$$

This, together with the definition of $\mu^*$ (see Equation (3.1)), implies that in order to prove Equa-
tion (3.10) it suffices to prove that 

$$\mathrm{SD}((R' \mid E), U_L) \le \sqrt{\varepsilon}.$$

This, together with Claim 2.6, implies that it suffices to prove that 

$$\mathrm{entropy}(R' \mid E) \ge L - \varepsilon. \qquad (3.13)$$


To this end, let $H \leftarrow \mathcal{H}_{i,j-1}$. Then, 
$\mathrm{entropy}(H \mid E) \ge$ 

dnNL -{k- 1)NL - {k - l)(log 4niV) -(k-l) log ^ - 2^ = 

{dn — k + 1)NL — {k — 1) ^log 4riA^ + log — 2™, 

where the first inequality follows from Equation (3.12) together with the definition of entropy (see 
Definition 2.5), and the latter equality follows from basic arithmetic. 

For every $\alpha \in [d]$ and every $\beta \in [n]$, we denote by $\mathrm{Row}_{\alpha,\beta} \in \{0,1\}^{NL}$ the random variable 
obtained by choosing a random matrix $H \leftarrow \mathcal{H}_{i,j-1}$, and setting $\mathrm{Row}_{\alpha,\beta}$ to be the $(\alpha, \beta)$-th row of $H$. 
Note that 

$$\mathrm{entropy}(H \mid E) \le \sum_{\alpha \in [d],\, \beta \in [n]} \mathrm{entropy}(\mathrm{Row}_{\alpha,\beta} \mid E) \le \mathrm{entropy}(\mathrm{Row}_{i,u} \mid E) + NL(dn - k),$$

where the first inequality follows from the basic property of Shannon entropy, that for any random 
variables $X$ and $Y$, it holds that $\mathrm{entropy}(X, Y) \le \mathrm{entropy}(X) + \mathrm{entropy}(Y)$, and the second inequality 
follows from the fact that $k-1$ of the rows in $\mathcal{H}_{i,j-1}$ are fixed. This, together with the equations 
above, implies that 

$\mathrm{entropy}(\mathrm{Row}_{i,u} \mid E) \ge$ 

{dn — k + 1)A^L — (A: — 1) ^logdnA^ + log — 2™ — NL{dn — k) = 

NL — {k — 1) ^logdnA^ + log — 2™ = 

NL — {k — 1) (log AnN + log^{dn)) — 2"*. 


Recall that $(R' \mid E)$ is the random variable defined by choosing $H \leftarrow \mathcal{H}_{i,j-1}$ (where we assume 
that event $E$ holds for $\mathcal{H}_{i,j-1}$), choosing a random $a \leftarrow [N]$, and setting $R' = H(i, u, a)$. Thus, 

$$\mathrm{entropy}(R' \mid E) \ge \frac{NL - (k-1)(\log 4nN + \log^3(dn)) - 2^m}{N} = L - \frac{(k-1)(\log 4nN + \log^3(dn)) + 2^m}{N} \ge L - \varepsilon,$$

proving Equation (3.13), where the latter inequality follows from the definition of $N$ (see Equa-
tion (3.2)). 


It remains to prove Equation (3.11). We prove that Equation (3.11) holds for any $(i, j) \in$ 
$[d] \times \{0, 1, \ldots, n\}$. The proof is by induction on $k = (i-1) \cdot n + j$. The base case is $k = 0$, which 
corresponds to $(i, j) = (1, 0)$. In this case, it always holds that 

$$|\mathcal{H}_{1,0}| = |\mathcal{H}_1| \ge \frac{2^{dnNL}}{2^{2^m}},$$

where the latter inequality follows from the definition of $\mathcal{H}_1$ (see Equation (3.6)). 

Next, assume that Equation (3.11) holds for $k-1$, and we prove that it holds for $k$. Fix $i \in [d]$ 
and $j \in [n]$ such that $k = (i-1) \cdot n + j$. By the induction hypothesis, 

$$\Pr\left[|\mathcal{H}_{i,j-1}| \ge \frac{2^{dnNL}}{2^{(k-1)NL} \cdot (4nN)^{k-1} \cdot 2^{2^m}}\right] \ge (1 - \varepsilon)^{k-1}.$$

We denote by $E$ the event that indeed 

$$|\mathcal{H}_{i,j-1}| \ge \frac{2^{dnNL}}{2^{(k-1)NL} \cdot (4nN)^{k-1} \cdot 2^{2^m}}.$$

Thus, by our induction hypothesis, 

$$\Pr[E] \ge (1 - \varepsilon)^{k-1}. \qquad (3.14)$$


In what follows, fix any $\mathcal{H}_{i,j-1}$ such that event $E$ holds. Claim 2.4 (with $U = \mathcal{H}_{i,j-1}$ and 
$M = 2^{NL} \cdot 4nN$) implies that 

$$\Pr\left[|\mathcal{H}_{i,j}| \ge \frac{|\mathcal{H}_{i,j-1}|}{2^{NL} \cdot 4nN}\right] \ge 1 - \varepsilon.$$



This, in turn, implies that 

$$\Pr\left[|\mathcal{H}_{i,j}| \ge \frac{2^{dnNL}}{2^{kNL} \cdot (4nN)^{k} \cdot 2^{2^m}}\right] \ge \Pr\left[|\mathcal{H}_{i,j}| \ge \frac{2^{dnNL}}{2^{kNL} \cdot (4nN)^{k} \cdot 2^{2^m}} \,\middle|\, E\right] \cdot \Pr[E] \ge \Pr\left[|\mathcal{H}_{i,j}| \ge \frac{|\mathcal{H}_{i,j-1}|}{2^{NL} \cdot 4nN} \,\middle|\, E\right] \cdot \Pr[E] \ge (1 - \varepsilon) \cdot (1 - \varepsilon)^{k-1} = (1 - \varepsilon)^{k},$$

as desired. 


3.3 Static Adversaries 

We note that Theorem 3.1 holds also for static adversaries. For completeness, we restate the theorem 
for static adversaries. 

Theorem 3.6. Fix any $m = m(n)$, $d = d(n)$, $L = L(n)$, and any $n$-party $d$-round public-coin 
protocol $\Pi$ that outputs messages in $\{0,1\}^m$ and in which all parties send messages of length $L = $ 
$L(n)$. Then, for any constant $\delta > 0$, any $t = t(n) < n$, and any $s = s(m)$, if $\Pi$ is $(t, \delta, s)$-
statically secure then there exists an $n$-party $d$-round $(t, \delta', s)$-statically secure public-coin protocol 
that simulates $\Pi$, where all parties send messages of length $\ell = m \cdot \log^3(n \cdot d)$, and where $\delta' \le \delta + \mu^*$ 
(where $\mu^*$ is the negligible function defined in Equation (3.1)). 

The proof is almost identical to the proof of Theorem 3.1 except that in the static setting, the 
adversary $\mathcal{A}$ needs to decide which $t$ parties to corrupt before the protocol begins. 

Recall that in the proof of Theorem 3.1, the adversary $\mathcal{A}$ simulates one of the adversaries $\mathcal{A}^H$. 
In the static setting, the adversary $\mathcal{A}$ will choose to corrupt the $t$ parties that are consistent with 
as many $\mathcal{A}^H$ as possible. More specifically, recall that in the proof of Theorem 3.1 we defined $\mathcal{H}_1$ 
to be the set of all matrices $H$ such that $\mathcal{A}^H$ tries to bias the outcome towards a specific set $M$. 
Recall that $|\mathcal{H}_1| \ge |\mathcal{H}|/2^{2^m}$ (see Equation (3.6)). 

In the static setting, for every $H \in \mathcal{H}_1$ we denote by $T^H$ the set of parties that the adversary 
$\mathcal{A}^H$ corrupts. For every set $T \subseteq [n]$ of size $t$ let 

$$a(T) = |\{H \in \mathcal{H}_1 : T^H = T\}|.$$

We define 

$$T^* = \arg\max_{T} \{a(T)\},$$

and the adversary $\mathcal{A}$ corrupts the set of parties $T^*$. We define $\mathcal{H}'_1 \subseteq \mathcal{H}_1$ to consist of all the matrices 
$H \in \mathcal{H}_1$ for which $\mathcal{A}^H$ corrupts the set of parties $T^*$. Note that 

$$|\mathcal{H}'_1| \ge \frac{|\mathcal{H}_1|}{2^{n}} \ge \frac{|\mathcal{H}|}{2^{2^m} \cdot 2^{n}}.$$

The rest of the proof is similar to that of Theorem 3.1, except that the analysis is easier in the 
static setting, since the decision of who to corrupt has already been made. 
4 Public-Coin Protocols 

In this section we show how to convert any distributed protocol in which parties do not have private 
inputs into a public-coin protocol. 

Theorem 4.1. Every protocol $\Pi$ in which parties do not have private inputs can be transformed 
into a protocol $\Pi'$ which simulates $\Pi$ and such that the messages sent in $\Pi'$ are uniformly random. 
Moreover, the protocol $\Pi'$ preserves the security of $\Pi$ and its round complexity. 

Proof Sketch. Let $\Pi$ be an $n$-party protocol in which parties do not have private inputs. Let 
$d = d(n)$ be the number of communication rounds and let us assume for simplicity that each 
party speaks at each round. Assume, without loss of generality, that each party samples its own 
randomness ahead of time, when the protocol begins. That is, for every $j \in [n]$, party $P_j$ has 
randomness $r_j \in \{0,1\}^{\ell}$, where we let $\ell$ be the maximum number of random bits used by all parties 
during the protocol. At each round $i$, party $P_j$ evaluates a function $f_{i,j}$ which depends on the 
transcript of the protocol so far, which we denote by $\mathrm{Trans}_{i-1}$ (i.e., $\mathrm{Trans}_{i-1}$ are the messages sent 
by all parties in rounds $1, \ldots, i-1$), and on its own randomness $r_j$. Namely, the message sent at 
round $i \in [d]$ by party $P_j$ is 

$$m_{i,j} = f_{i,j}(\mathrm{Trans}_{i-1}, r_j).$$

Before we define the protocol $\Pi'$, we introduce some notation. We say that a random string $r$ 
is good with respect to transcript $\mathrm{Trans}_i$ and party $P_j$ if when it is used as the randomness of that 
party, it generates the same exact transcript. 

Next, we define the protocol $\Pi'$. In round $i \in [d]$, party $P_j$ sends a uniformly random string 
$U_{i,j}$ of length $2^{\ell}$. Specifically, each party sends a uniformly random permutation of all possible $\ell$-bit 
strings. At the end, after the $d$-th round ends, we interpret each $U_{i,j}$ as a collection of many possible 
random strings for party $P_j$, choose one (say the first), denoted by $r_{i,j}$, which is good with respect 
to the transcript so far and think of the $(i, j)$-th message as $f_{i,j}(\mathrm{Trans}_{i-1}, r_{i,j})$. 

First, we observe that the round complexity of $\Pi'$ is the same as that of $\Pi$. Next, we claim that 
in an honest execution (i.e., in the absence of an adversary), the distribution of the output of the 
protocol $\Pi$ is identical to that of $\Pi'$ (namely, $\Pi'$ simulates $\Pi$). We first note that conditioned on 
the fact that a good randomness was found for all $d \cdot n$ messages, the above distributions are the 
same. This is true since in $\Pi'$ each party sends all possible $\ell$-bit strings in a uniformly random order. 
Second, we note that, since each party sends all possible $\ell$-bit strings in each round, there always 
exists good randomness. 
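As an added illustration (example code written for this page, not the paper's own code), the following Python script carries out the transformation just described on a toy protocol with $n = 3$ parties, $d = 2$ rounds and $\ell = 2$ private random bits per party. The next-message rule $f_{i,j}$ is an assumed toy rule; `is_good` is the goodness predicate defined above, `interpret` picks the first good entry of each $U_{i,j}$ after the last round, and `empirical_sd` compares the transcript distribution of $\Pi'$ (sampled) with that of $\Pi$ (enumerated exactly over all $r_1, \ldots, r_n$).

```python
# Added example (not the paper's code): the public-coin transformation of
# Section 4 applied to a toy protocol with private randomness.  ELL, the
# number of private random bits per party, and the next-message rule f are
# assumptions made for this example.
import random
from collections import Counter
from itertools import product
from typing import Dict, List, Tuple

ELL = 2          # private random bits per party (tiny, so all 2**ELL strings fit in one message)
N_PARTIES = 3
ROUNDS = 2

Transcript = List[List[int]]          # Transcript[i-1][j-1] = message of P_j in round i
Public = List[List[List[int]]]        # Public[i-1][j-1] = U_{i,j}, a permutation of range(2**ELL)


def f(i: int, j: int, trans_prev: Transcript, r: int) -> int:
    """Toy next-message function f_{i,j}(Trans_{i-1}, r_j): bit (i-1) of r_j,
    XORed with the parity of the previous round (assumed rule)."""
    prev_parity = sum(trans_prev[-1]) % 2 if trans_prev else 0
    return ((r >> ((i - 1) % ELL)) & 1) ^ prev_parity


def run_Pi_with(rs: List[int]) -> Transcript:
    """Π with fixed randomness r_1..r_n sampled up front, as in the proof sketch."""
    trans: Transcript = []
    for i in range(1, ROUNDS + 1):
        trans.append([f(i, j, trans, rs[j - 1]) for j in range(1, N_PARTIES + 1)])
    return trans


def is_good(r: int, j: int, trans: Transcript) -> bool:
    """r is good w.r.t. (trans, P_j): used as P_j's randomness it reproduces
    every message P_j has sent in trans."""
    return all(f(i, j, trans[: i - 1], r) == trans[i - 1][j - 1]
               for i in range(1, len(trans) + 1))


def interpret(public: Public) -> Transcript:
    """After the last round of Π': for each (i, j) take the first entry of
    U_{i,j} that is good w.r.t. the transcript so far and feed it to f_{i,j}."""
    trans: Transcript = []
    for i in range(1, ROUNDS + 1):
        round_msgs = []
        for j in range(1, N_PARTIES + 1):
            # a full permutation always contains a good string, so next() never fails
            r_ij = next(r for r in public[i - 1][j - 1] if is_good(r, j, trans))
            round_msgs.append(f(i, j, trans, r_ij))
        trans.append(round_msgs)
    return trans


def run_Pi_prime(rng: random.Random) -> Tuple[Public, Transcript]:
    """Π': every message U_{i,j} is a uniformly random permutation of all
    2**ELL strings, so each message is uniformly random on its own."""
    public = [[rng.sample(range(2 ** ELL), 2 ** ELL) for _ in range(N_PARTIES)]
              for _ in range(ROUNDS)]
    return public, interpret(public)


def exact_Pi_dist() -> Dict[Tuple[Tuple[int, ...], ...], float]:
    """Exact transcript distribution of Π by enumerating all r_1..r_n."""
    counts: Counter = Counter()
    for rs in product(range(2 ** ELL), repeat=N_PARTIES):
        counts[tuple(map(tuple, run_Pi_with(list(rs))))] += 1
    total = (2 ** ELL) ** N_PARTIES
    return {t: c / total for t, c in counts.items()}


def empirical_sd(trials: int, seed: int) -> float:
    """SD between Π's exact transcript distribution and an empirical sample of Π'."""
    rng = random.Random(seed)
    counts: Counter = Counter()
    for _ in range(trials):
        counts[tuple(map(tuple, run_Pi_prime(rng)[1]))] += 1
    emp = {t: c / trials for t, c in counts.items()}
    exact = exact_Pi_dist()
    return 0.5 * sum(abs(emp.get(t, 0.0) - exact.get(t, 0.0)) for t in set(emp) | set(exact))


if __name__ == "__main__":
    public, trans = run_Pi_prime(random.Random(5))
    print("interpreted transcript:", trans)
    print("empirical SD to Π over 4000 runs:", empirical_sd(4000, 11))
```

The first entry of a uniformly random permutation, restricted to the good strings, is uniform over the good set; that is the same conditional distribution $P_j$'s private $r_j$ has in $\Pi$ given $P_j$'s earlier messages, which is why the two transcript distributions agree up to sampling error.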

Next, we argue that the protocol $\Pi'$ is as secure as $\Pi$. This follows by a simple hybrid argument. 
We define a sequence of protocols $\Pi^{(i)}$ for $i \in \{0, \ldots, dn\}$ in which until (and including) the $i$-th 
message, the parties act according to $\Pi$ and in the rest of the protocol they act according to $\Pi'$. 
Notice that $\Pi' = \Pi^{(0)}$ and $\Pi = \Pi^{(dn)}$. We argue that for every $i \in [dn]$, the “advantage” of any 
$\mathcal{A}^{(i)}$ in $\Pi^{(i)}$ over any $\mathcal{A}^{(i-1)}$ in $\Pi^{(i-1)}$ is zero. 

To this end, observe that the first $i-1$ messages are distributed exactly the same. In the next 
message (i.e., the $i$-th one) the protocols deviate. Assume party $P_j$ speaks in both. While in $\Pi^{(i)}$ the 
message sent is some function of the transcript so far and the initial randomness $P_j$ has, in $\Pi^{(i-1)}$ it 
is a random permutation of all possible random strings. We first note that if party $P_j$ is corrupted, 
then both the adversary $\mathcal{A}^{(i)}$ and $\mathcal{A}^{(i-1)}$ can force any message in the name of $P_j$ and thus they 
have the same power in both protocols (recall that after the $i$-th message, the protocols are identical). 
Hence, assume that $P_j$ is not corrupted. In this case, the adversary $\mathcal{A}^{(i)}$ sees a message which is 
a function of the transcript up to that point and the (private) randomness of that party, whereas 
$\mathcal{A}^{(i-1)}$ sees a message which is a random permutation of all possible random strings. The theorem 
now follows by observing that one adversary can simulate the view of the other, and recalling that 
the rest of the messages in both protocols are identically distributed. ■ 